Bizarre Simpsons-esque Ethical Dilemma

I'm in a bit of a quandary at the moment. A truly bizarre set of circumstances has arisen at work and I'm not sure what to do.

I work in hospitality, for a franchisee of a national chain of about one hundred outlets. Without giving too much away, they use a custom point of sale system that has been written in a scripting language and that resides on each store's local server. I have explored this system because that's what I do, even when I'm not supposed to do it. And I have found a lot of vulnerabilities, back doors, passwords, everything. Why would anyone write a POS system in a scripting language and then leave the code on the server for anyone to see? I don't know. The company that created it are real amateurs; they don't even bother encrypting the passwords.

Which is great for me, because it turns out that this IT company uses the same password to access each of the 100 stores. And because they never thought of coding in any sort of access logs, nobody ever knows when I access another outlet's computer system.

Yes I know it's dodgy as and ethically questionable. That is a problem I have to face every day as I can't resist the temptation to stick my nose in where it doesn't belong.

So anyway I was accessing another store's server yesterday for kicks and I made an astonishing discovery. I found clusters of paid-up orders that had been cancelled late at night, every night, around the same time, by the same person. In other words, an employee of this franchisee has been stealing money from the shop for the past two months.

So you see the dilemma? I want to report this, but I can't do it without admitting to my own wrongdoing.

It's just like the episode of the Simpsons where Bart wagged school and wound up being a witness to the trial of the mayor's nephew.

^That's what I would do. Send an anon-email to the store in question that basically says, "I don't expect you to take my word for it, but it would be in your best interest to check up on what X does with customer orders."

By coming clean, you have an opportunity to a) stop a thief from stealing the company's money and b) alert them to some serious security problems in their computer system, both of which could benefit them. Under the circumstances, they might be inclined to forgive the lesser transgression.

Besides, if you know this person's stealing and you don't report it, that could be interpreted (validly or not, I don't know, but it could be) as being an accessory, which would be an even worse position to be in if you were found out. Trying to hide one's mistakes often leads to worse consequences.

As a rule, Bart Simpson isn't a good role model. I think even he fessed up at the end.

1) Document five or six of the cancellation incidents. Depending on what you can pull, you definitely need dates and times. You need amounts. (I'm assuming these orders are being canceled for cash.) Transaction numbers will be a definite plus.

2) If your company has an anonymous tip line, use that. Every retail company I worked for had one. If your company doesn't have an anonymous tip line, write up the details you have and mail it anonymously to your corporate office, ATTN: Loss Prevention.

3) Stop digging around in other stores' computers.

I disagree vehemently with Christopher that coming clean completely will benefit you. LP will take a dim view of you taking advantage of security holes to look at the software and in other people's computers, because they'll want to know everything that you did and they're unlikely to believe that all you did is look.

Your best play there is to wait about three months and then send the corporate office another anonymous letter, this one explaining the security holes and how they can be taken advantage of. You may even want to go so far as to have it mailed from another city (and that's easily accomplished on the 'net -- you write the letter, and have someone in another city mail it for you) so it can't be connected back to your location or the earlier anon letter that outed the thief in the other store.
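The pattern Nick describes (paid orders cancelled late at night, on repeated nights, by the same person) is exactly what the store owner or Loss Prevention could pick out of the POS's own transaction export, which is what step 1 above asks him to document. This is an added example written for this page, not code from the thread or from the POS vendor; the export layout, the staff names and the 22:00 cutoff are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample POS export, one row per status change. Rows are deliberately
# not chronological (txn 1003's cancellation precedes its payment) so sorting matters.
SAMPLE_EXPORT = """\
txn_id,timestamp,staff,status,amount
1001,2009-03-02 18:05,alice,PAID,24.50
1001,2009-03-02 22:41,bob,CANCELLED,24.50
1002,2009-03-02 19:10,carol,PAID,15.00
1003,2009-03-02 22:43,bob,CANCELLED,31.20
1003,2009-03-02 20:30,dave,PAID,31.20
1004,2009-03-03 22:39,bob,CANCELLED,18.00
1004,2009-03-03 17:55,alice,PAID,18.00
1005,2009-03-03 12:02,carol,PAID,9.90
1005,2009-03-03 12:05,carol,CANCELLED,9.90
"""

def paid_then_cancelled(export_text):
    """Return the CANCELLED rows whose order had already been PAID, in time order."""
    rows = []
    for row in csv.DictReader(StringIO(export_text)):
        row["when"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        row["amount"] = float(row["amount"])
        rows.append(row)
    paid, hits = set(), []
    for row in sorted(rows, key=lambda r: r["when"]):
        if row["status"] == "PAID":
            paid.add(row["txn_id"])
        elif row["status"] == "CANCELLED" and row["txn_id"] in paid:
            hits.append(row)
    return hits

def suspicious_staff(export_text, after_hour=22, min_days=2):
    """Flag staff who void paid orders at or after `after_hour` on at least
    `min_days` distinct days: the 'late night, same person, every night' cluster."""
    by_staff = defaultdict(list)
    for row in paid_then_cancelled(export_text):
        if row["when"].hour >= after_hour:
            by_staff[row["staff"]].append(row)
    report = {}
    for staff, events in by_staff.items():
        days = {e["when"].date() for e in events}
        if len(days) >= min_days:
            report[staff] = {"count": len(events), "days": len(days),
                             "total": round(sum(e["amount"] for e in events), 2),
                             "txn_ids": [e["txn_id"] for e in events]}
    return report
```

The report gives the dates, times, amounts and transaction numbers the step-1 write-up needs; carol's same-minute void of an unpaid-then-paid lunch order is not flagged because it is a daytime one-off.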

> I disagree vehemently with Christopher that coming clean completely will benefit you.

Your vehemence is wasted, then. I did not say "will"; I said "might."

And even if it doesn't benefit him personally, that doesn't mean it isn't still the right thing to do. Letting someone else get away with wrongdoing just to protect yourself is never right.

And has it occurred to anyone that a person's anonymity on a public bulletin board is not absolute? There are ways to identify posters through their ISPs, or by subpoenaing a board's registration records. So just by confessing the act on this board, Collingwood Nick, you may have already potentially exposed yourself. Perhaps you should consider talking to a lawyer instead of taking advice from a bunch of strangers online. At least then your conversations would be privileged.

I appreciate the advice everyone. Of course I don't have to do anything at all, I can just forget what I have learned and worry about my own store. But that doesn't sit right with me. Might be time to draft an anonymous letter.

> And has it occurred to anyone that a person's anonymity on a public bulletin board is not absolute? There are ways to identify posters through their ISPs, or by subpoenaing a board's registration records.

I weighed up the risks before posting this and decided they were acceptable.

If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.

> If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.

I had thought of that. It is true that the POS software itself doesn't record logins or actions, but the computer still has server logs and even if the franchisee doesn't know to look at them, the police will if they become involved.

And unusual entries in the server logs linked with unusual transaction activity might lead them to the conclusion that a hacker is responsible, not an in-store thief.

I had thought of a whole heap of schemes based around 'logging in and changing something' but that can only lead to more trouble for me.

I'm looking at an anonymous phone call to the store owner. He is the person who is losing money in all this.

Great success. The thief is going to lose his job tomorrow, the franchisee is grateful for the information I provided (and mildly embarrassed that he had been stooged for so long), and Nick escapes with a thank you instead of a visit to the police station.

Sometimes it pays to put self interest aside and do the right thing. Who knew?